Personal Data Breaches - Your Data "In The Wild"

One in three Americans was exposed as a potential victim of Identity Theft in 2006. Most all of these breaches involve the transport of portable unencrypted data being compromised through neglect, theft or outright stupidity on the part of the stewards of the data. Don't be a victim. Don't have to be the one that explains to your boss, your clients or worse even yet, a judge or jury that you did not take proper and adequate measures to protect valuable data with which you are entrusted.

Running Total for 2007 as of February 12th - a minimum of

22,512,946

Individual Records Were Illegally Breached.
The National Pandemic of Stupidity Continues... Are You on the List?

Monday, February 12, 2007

Just like last time, the information slowly trickles out about the breach at the Veterans Administration. Again, just as in the last case, they have made and will continue to make "revisions" to the amount of data that was actually lost. These revisions are always UP and involve new and shocking information with each release. The latest revision was released on a SUNDAY - yet again showing the VA's habit of releasing information on a holiday, weekend or at other times in an effort to "slide by" the media and the public.

How about a full-blown press conference Mr. Nicholson - say at 2:00PM on a Wednesday - with 2 business days notice to the national and local press, full disclosure of all events and facts and a question & answer period at the end? I am sure you could find time in your schedule to enlighten the American people that pay your salary and actually fund the VA.

This UPdate pegged the number of VA Individuals that were affected was 535,000 (Not the 48,000 with only 20,000 records "unencrypted" as stated previously) and the real shocker this time is that there were additional NON-VA records of 1.3 million private Physicians although the VA states that only "some of the files contain personal information".

Whom and What to believe are the real questions here. The VA should know by now after 4 weeks exactly what information was on the hard drive and should disclose everything - not just feed us bit-by-bit hoping that no-one will put the information together.

WASHINGTON -- The Department of Veterans Affairs (VA) on Sunday issued an update on the information potentially contained on a missing government-owned, portable hard drive used by a VA employee at a Department facility in Birmingham, Ala.

“Our investigation into this incident continues, but I believe it is important to provide the public additional details as quickly as we can,” said Jim Nicholson, Secretary of Veterans Affairs. “I am concerned and will remain so until we have notified those potentially affected and get to the bottom of what happened.

“VA will continue working around the clock to determine every possible detail we can,” Nicholson said.

VA and VA’s Office of Inspector General have learned that data files the employee was working with may have included sensitive VA-related information on approximately 535,000 individuals. The investigation has also determined that information on approximately 1.3 million non-VA physicians — both living and deceased— could have been stored on the missing hard drive. It is believed though, that most of the physician information is readily available to the public. Some of the files, however, may contain sensitive information.

VA continues to examine data on the employee’s work computer. The employee has been placed on administrative leave pending the outcome of the investigation. VA has no information the data has been misused.

The non-VA physician data is used by VA to enhance the quality of care for veterans by analyzing and comparing information about the health care received from VA and non-VA providers.

Next week, VA will begin making notifications to individuals whose sensitive information may have been on the hard drive. VA is also making arrangements to provide one year of free credit monitoring to those whose information proves compromised.

“VA is unwavering in our resolve to bolster our data security measures,” Nicholson added. “We remain focused on doing everything that can be done to protect the personal information with which we are entrusted.”

On January 22, the employee, who works at the Birmingham (Ala.) VA Medical Center, reported the external hard drive was missing. On January 23, VA’s IG was notified. The OIG opened a criminal investigation, sent special agents to the medical center, and notified the FBI. VA’s Office of Information & Technology in Washington, D.C. also dispatched an incident response team to investigate.

The OIG seized the employee’s work computer and began analyzing its contents. This analysis continues and VA IT staff has been providing technical support.

In addition to the ongoing criminal investigation, the OIG initiated an administrative investigation to determine how such an incident could occur.

VA is operating a call center that individuals can contact to get information about this incident. That toll-free number is 1-877-894-2600. The call center will operate every day from 7 a.m. to 9 p.m. CST as long as it is needed.

Congress passed sweeping legislation in 1999 to require "financial institutions" to protect their customers data. While traditional tax preparers aren't considered financial institutions, they do collect and warehouse private financial data and ARE subject to this rule.

Even though you "think" it may not apply to you, read on... It very well might.

Protecting the privacy of consumer information held by "financial institutions" is at the heart of the financial privacy provisions of the Gramm-Leach-Bliley Financial Modernization Act of 1999. The GLB Act requires companies to give consumers privacy notices that explain the institutions' information-sharing practices. In turn, consumers have the right to limit some - but not all - sharing of their information.

Here's a brief look at the basic financial privacy requirements of the law.

Financial Institutions

The GLB Act applies to "financial institutions" - companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance. The Federal Trade Commission has authority to enforce the law with respect to "financial institutions" that are not covered by the federal banking agencies, the Securities and Exchange Commission, the Commodity Futures Trading Commission, and state insurance authorities. Among the institutions that fall under FTC jurisdiction for purposes of the GLB Act are non-bank mortgage lenders, loan brokers, some financial or investment advisers, tax preparers, providers of real estate settlement services, and debt collectors. At the same time, the FTC's regulation applies only to companies that are "significantly engaged" in such financial activities.

The law requires that financial institutions protect information collected about individuals; it does not apply to information collected in business or commercial activities.

Press Release from the AICPA, Washington, DC, October 13, 2006—The President today signed a bill that exempts certified public accountants from the Gramm-Leach-Bliley Act’s requirement that CPAs send their clients an annual privacy notice. The exemption is effective immediately.

Tax Preparers are however NOT currently exempt from the Security Rule of 15USC Sec. 6801 - which states:

(b) Financial institutions safeguards

In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805(a) of this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards -

(1) to insure the security and confidentiality of customer records and information;

(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and

(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

Kirstein owns CTS tax service on Highway M-62. Since 1985 she has been preparing returns for clients in Cassopolis, Edwardsburg, Elkhart, Ohio, Virginia, Illinois and Washington.

She believes someone knew her computer possessed valuable information. “I had money in here. I had checks and nothing was taken, just the computer,” says Kirstein. “If it would only concern me, if it would only affect my life it would be fine, but this is 800 people's lives. That's kind of sad. All their information is on there, bank accounts routing numbers, birthdays, social security numbers, addresses, everything is on there.”

Between 1:00 a.m. and 3 a.m. a neighbor saw headlights in the CTS parking lot. Footprints in the snow lead police to believe that more than one person broke in the back door. “We're urging anyone who had an account with CTS to contact the credit bureaus and put a fraud alert on, as well as contact their banking institutions,” suggests Captain Lindon Parrish of the Cass County Sheriff’s Department.

“I'm putting flags on my accounts,” says CTS client Vicki Vaughn. “I have to change some of the accounts right now because they said they can not do it over the phone.”

Carlotta is offering a $5,000 reward to help catch the thieves. If those people are watching Carlotta would like to say, “Shame on you! How can you do this to somebody else? How can you do this?” And to anyone who may know who did this, “please come forward,” she pleads. “Please tell, too many lives depend on this.”

To report information that could lead to that reward call the Cass County Sheriff's Department at 269-445-1560. If you are a client of CTS and you'd like to report fraudulent activity on your accounts call 269-445-1244.

Saturday, February 03, 2007

Hard drive that may contain personal data on veterans missing in Birmingham, Ala.

ASSOCIATED PRESS - 9:12 p.m. February 2, 2007

WASHINGTON – A portable hard drive that may contain the personal information of up to 48,000 veterans may have been stolen, the Department of Veterans Affairs and a lawmaker said Friday.

An employee at the VA medical center in Birmingham, Ala. reported the external hard drive missing on Jan. 22. The drive was used to back up information on the employee's office computer. It may have contained data from research projects, the department said.

The employee also said the hard drive may have had personal information on some veterans, although portions of the data were protected. Secretary of Veterans Affairs Jim Nicholson said that the VA and the FBI are investigating.

Rep. Spencer Bachus, R-Ala., said that the personal information of up to 48,000 veterans was on the hard drive and the records of up to 20,000 of them were not encrypted.

Pending results of the investigation, VA is planning to send individual notifications and to provide a year of free credit monitoring to anyone whose information is compromised.

Commentary - Credit monitoring? Same old tired response to an epidemic of stupidity. Secure the Data Already!

Once again the pervasive culture of hubris, arrogance, recklessness and self-serving glad-handing at the United States Veterans Affairs Office has exposed the personal data of our fighting men and women through yet another act of stupidity regarding the protection of personal identifiable data to which they have been entrusted.

Twice within one week, the VA announced two separate breaches. One in Bremerton, WA involving raw files that were left in an employees car and one in Birmingham, AL involving yet another un-encrypted portable hard drive with personally identifiable data. What DATA? Who Authorized the transfer of this data to an un-encrypted insecure drive AGAIN? How much data is on the drive?

To be perfectly clear this is at least the FIFTH BREACH of portable data that has actually come to light from the VA in the last year.

The culture of carelessness with sensitive data appears to be alive and well at the VA. Again!

Let's take a quick look back at the controversy that erupted last year in May when ANOTHER un-encrypted portable hard drive was "lost" by an unnamed VA employee. Here are the particulars and the remarkable similarities to this current breach:

Like the breach last year, this data breach was not exposed for two weeks after it was known by the VA. The culture of denial and cover-up is alive and well at the VA.

“I am outraged at the loss of this veterans’ data and the fact an employee would put it at risk by taking it home in violation of our policies,” he said in a statement to The Associated Press. “Upon notification, my first priority was to take all actions necessary to protect veterans from harm.” Actually... what he meant to say was upon notification his first priority was to try to mitigate the damage, minimize the impact and save his career. Everything else is window dressing.

This latest breach was reported to the department on January 23rd, and as you can guess, was not reported to the public until February 2nd, after 5:00PM on a Friday nearly two weeks later. News stories leaked on a Friday traditionally have much less impact than those reported during the week when the standard news outlets would normally devote much greater coverage to the reporting. This is especially true when the news is announced "after hours". The kicker in this report is that they announced it on Super Bowl Weekend, thus hoping to mitigate the effects even further while the countries attention is focused elsewhere. Distract, Evade and Mitigate Damage.

Like the breach last year, the theft of data was handled by the VA Inspector General, this time however they did bring in the FBI.

In his statements before Congress, the Secretary of Veterans Affairs, Jim Nicholson was severely rebuked for not turning this information over to the FBI immediately.

On January 23, VA's IG was notified the external hard drive was missing. The OIG opened a criminal investigation, sent special agents to the medical center, and notified the FBI. VA's Office of Information & Technology in Washington, D.C. also dispatched an incident response team to investigate.

Just like last time Mr. Nicholson tauted his "resolve to be the leader in protecting personal information". This statement would be almost laughable if it wasn't such a serious threat to both personal liberty and national security.

In his statement last year:

"VA is revising its regulations, policies, guidelines and directives in the entire area of information technology and information security. This has been a wake up call to us, and we are working to assure that we have clear guidance for all VA employees in place, and that they are aware of what is required of them - and of the consequences, should they fail to adhere to that guidance. We are revising VA Directive 6500 which sets forth the guidelines for information security and the enforcement mechanisms pertaining to that. This is a fast track initiative, and I anticipate issuing the revised directive shortly.

But I am convinced that, coming out of a very bad situation, we can make the VA a model for data security. I believe we can craft a structure that will be the Gold Standard for the government, much as the VA's vaunted electronic medical records and health care system are being held up as a standard to be emulated."

A year later:

"VA is unwavering in our resolve to be the leader in protecting personal information, and training and educating our employees in best practices in cyber and information security," said Nicholson. "We have made considerable progress, but establishing a culture that always puts the safekeeping of veterans' personal information first is no easy task. I have committed VA to achieving such reform ? and we will. This unfortunate incident will not deter our efforts, but it underscores the complexity of the task we have undertaken."

Same Song, Same Dance, Different Day ... The Potomac Two-Step. The VA is seriously delinquent in the formation and enforcement of their policies and then they try to pull the wool over the publics eyes by leaking information little-by-little in an effort to spin the damage.

The VA's own website states the following while they were trying to mitigate the public relations damage over the last breach:

"As I stated in my testimony before both the House and Senate Committees on Veterans' Affairs last month, I am outraged at the theft of this data and the fact an employee would put it at risk by taking it home in violation of VA policies. I am also gravely concerned about the timing of the Department's response once the burglary became known." This time they again waited almost two weeks to inform the public. Evidently he wasn't outraged enough.

"I have initiated several actions to determine how to best strengthen our privacy and data security programs. On May 24, 2006, we launched the Data Security-Assessment and Strengthening of Controls program, a high priority, focused plan to strengthen our data privacy and security procedures. This program will minimize the risk of a re-occurrence of incidents similar to this recent breach, and seeks to remedy material weakness that could place sensitive information at risk.

One existing Security Guideline, Security Guideline for Single-User Remote Access, describes appropriate security measures for mobile or fixed computers used to process, store, or transmit information or connect to VA IT systems when such computers are housed in an alternate work location. It identifies and recommends the minimally acceptable security controls when VA personnel use anything other than a direct connected, VA-controlled local area network (LAN) connection to perform VA information processing. Examples include people that are on travel, telecommuting or working from alternate work locations. This document requires that any data not stored on our systems be encrypted and password protected. If this is true and the policy was circumvented, these employees should be fired along with Mr. Nicholson.

Point ONE: Secretary Nicholson should be fired.

Point TWO: BOTH Employees that recklessly handled this data in violation of the above mentioned policies should be fired.

Point THREE: STRICT POLICIES of limiting access to ONLY individuals that have a need to use this information for the service of the VA Clients need to be implemented and enforced.

Point FOUR: ANYONE having access to individually identifiable data must undergo on-going security clearances. The data analyst in last years breach did not have the required on-going security clearance reviews. None. Ever.

Point FIVE: Encrypt and secure access to the data with reporting and tracking capability.

The VA implemented Directive 6500 on August 4th, 2006 which requires Department-wide compliance with the Federal Information Security Management Act of 2002, 44 U.S.C. §§ 3541-3549. This directive specifically requires the implementation of best practices with regard to data integrity and transparency when data is breached. Have we seen the last of the "updates" from the VA? We'll be watching and waiting for the other shoe to drop. How about a different message - SECURE THE DATA ALREADY?

WASHINGTON (Feb. 2, 2007) -- The Department of Veterans Affairs (VA) today announced that an employee reported a government-owned, portable hard drive used by the employee at a Department facility in Birmingham, Ala. and potentially containing personal information about some veterans is missing and may have been stolen.

"I am concerned about this report," said Jim Nicholson, Secretary of Veterans Affairs. "VA's Office of Inspector General and the FBI are conducting a thorough investigation into this incident. VA's Office of Information and Technology is conducting a separate review. We intend to get to the bottom of this, and we will take aggressive steps to protect and assist anyone whose information may have been involved."

On January 22, the employee at the Birmingham VA Medical Center reported that an external hard drive was missing. The hard drive was used to back up information contained on the employee's office computer, and may have contained data from research projects the employee was involved in. The employee also indicated the hard drive may have contained personal identifying information on some veterans, but asserts that portions of the data were protected. Investigators are still working to determine the scope of the information potentially involved.

On January 23, VA's IG was notified the external hard drive was missing. The OIG opened a criminal investigation, sent special agents to the medical center, and notified the FBI. VA's Office of Information & Technology in Washington, D.C. also dispatched an incident response team to investigate.

The OIG has seized the employee's work computer and is in the process of analyzing its contents. VA IT staff is providing technical support in this effort. Analyzing the work computer may help investigators determine the nature of the information the hard drive potentially contained.

Pending results of the investigation, VA is prepared to send individual notifications and provide one year of free credit monitoring to those whose information proves compromised.

In addition to the ongoing criminal investigation, the OIG has initiated an administrative investigation to determine how such an incident could occur. VA will provide further updates as the investigation produces additional information.

"VA is unwavering in our resolve to be the leader in protecting personal information, and training and educating our employees in best practices in cyber and information security," said Nicholson. "We have made considerable progress, but establishing a culture that always puts the safekeeping of veterans' personal information first is no easy task. I have committed VA to achieving such reform ? and we will. This unfortunate incident will not deter our efforts, but it underscores the complexity of the task we have undertaken."

The agency said up to 1,200 people who had submitted workers' compensation claims to the state -- and their Social Security numbers -- may have been compromised, although officials have evidence that only three people had their personal information used improperly.

The worker, who was not immediately identified, was fired, arrested and charged with identity fraud. Law enforcement officials notified the agency of the alleged breach.

"The DIA has taken swift action to inform the public and the 1,200 individuals potentially affected by this situation," the agency said in a statement. "DIA has sent written notifications directly to the potentially impacted claimants. In addition, DIA has posted information on its web site and established a telephone hotline to address claimant concerns."

The statement added: "All of us at the Department of Industrial Accidents deeply regret what happened. We take our public trust very seriously and we are taking immediate steps to ensure that this situation does not happen again."

The hotline number is 1-800-323-3249, ext. 560. (AP)Posted by Boston Globe Business Team at 12:27 PM

Bank files class-action lawsuit against retailer

WASHINGTON -- TJX has been hit with a second class-action lawsuit over the theft of customer credit card data by computer hackers.

The Boston Globe reports that Alabama-based AmeriFirst Bank filed the suit in U.S. District Court. The bank is seeking to recover the costs of replacing compromised credit cards and covering fraudulent purchases.

Other banks and financial institutions could join in the suit.

The Globe says the Massachusetts Credit Union League is also asking Framingham-based TJX to reimburse credit unions for the costs of reissuing credit cards.

A class-action lawsuit was filed earlier this week on behalf of consumers.

Vermont State was warned of potential computer security breach(iQBio Commentary - "AN UNSECURED COMPUTER DIRECTLY ON THE INTERNET WITH SENSITIVE DATA?" This is the absolute pinnacle of stupidity. Anyone involved with this breach should be fired, sued and promptly run out of town.)MONTPELIER, Vt. --A Microsoft security patch was downloaded but not installed on a state computer that hackers later broke into, gaining access to names, Social Security numbers and bank account information for nearly 70,000 people, an official confirmed Tuesday.

An internal state report on the hacking incident says Microsoft, a national computer security institute and "even the Department of Homeland Security all gave special priority to the application of this patch in order to fix the vulnerabilities ... that unauthorized attackers could gain control of a system."

The report goes on to say the patches released in August "were downloaded but never applied on this system."

The finding was contained in the report on an incident in which hackers broke into a computer that was set up to track the finances of noncustodial parents three or more months behind on child support payments.

Banks are required by federal law to provide quarterly reports on the finances of people who owe back child support. One of nine affected banks, New England Federal Credit Union, twice provided the information not just on child support deadbeats, but on nearly all of its roughly 59,000 members. The compromised computer contained that information, officials said.

The internal state report was chock full of technical information and computer terminology, but made repeated references to two things: worms, which are bits of computer programming that burrow into a computer; and Trojans, which allow someone from as far away as China to tell the computer to execute specific commands, including sending its data over the Internet.

As they announced the breach of the state Office of Child Support computer on Monday, state officials emphasized that the attacks appeared to have been launched automatically by hackers targeting hundreds or thousands of computers on the Internet, looking for vulnerabilities.

"It was an automated attack, which I think is critically important, and not a targeted attack by an individual," Human Services Secretary Cynthia LaWare said Monday.

The internal state report pointed to more direct personal involvement.

"Although it is not clear prior to September 12th whether or not this server was in the control of a human being (as opposed to merely being passively infected with worms containing Trojans) it is very likely following this date that the server was under the control of a person," the report says. The parenthetical phrase was contained in its text.

Thomas Murray, commissioner of the Department of Information and Innovation, said officials continued to believe that "somewhere somebody is launching this thing at hundreds of computers, but it's not Joe Hacker (getting) into a system and transmitting files."

Murray said officials do not believe the infectious programs were allowed to spread to other state computers; most are inside a "firewall" with sufficient security to have rebuffed any attacks. In fact, Murray said, technicians spotted the security breach in December when the viruses that had infected the child support computer began trying to spread to others on the system.

The state report says the first evidence of successful hacking came Aug. 18, 10 days after Microsoft issued its security patch. Initially, the report says, the state computer was "most likely compromised by an unknown autonomous worm exploiting a known vulnerability" -- the one described by Microsoft on Aug. 8.

Officials continued to say Tuesday that, while there was no evidence that sensitive personal data had been taken from the state computer, there also was no way to show that had not happened. The state was sending out letters to people whose information was compromised, said Heidi Tringe, spokeswoman for the Agency of Human Services.

"All of the affected individuals needed to be notified and provided suggestions on how they should protect themselves," Tringe said.

At New England Federal Credit Union, CEO David Bard said extra telephone call takers were being brought in to handle consumer inquiries. "Our focus is really on trying to provide resources to our members."

Meanwhile, a Norwich University computer security expert on Tuesday said it was "amazing" that the state had stored the sensitive data on a computer with such limited security protection.

"We haven't put unprotected computers directly on the Internet in this type of scenario for more than 10 years," said Peter Stephenson, a professor, computer security expert and senior scientist at Norwich's Applied Research Institute. "We're not talking about new technology here."